Re: [sacm] Revised ID Needed: draft-ietf-sacm-coswid-21
Roman Danyliw <rdd@cert.org> Thu, 19 May 2022 00:53 UTC
Return-Path: <rdd@cert.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0350C1D3C48 for <sacm@ietfa.amsl.com>; Wed, 18 May 2022 17:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fhlB3fzY2J-l for <sacm@ietfa.amsl.com>; Wed, 18 May 2022 17:53:38 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0132.outbound.protection.office365.us [23.103.208.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44758C1D351F for <sacm@ietf.org>; Wed, 18 May 2022 17:53:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=aU9alZrs2Xr6a74cZWf7qPdwyBCoaZBbrUzV2W0+U4IW/GmpeFCqJudU75hwXFJNd0aPIlPRWcMKMW/apqzM0ymG6vGi4gsVtVlBA1rYPPKsGc++CuOwpEa3aaHiV+Hf1j/DoCg061TNFOkCVrQBQkaSJQc7+VHHYfDc1decGW7AOnnBudZxvnUKnC6eiW3XH3IbgqeQF7+o7O/IHp8AMC9C+F7fhKbaPEbxbZlbWxAlFo1OW6BUnSHH0vHrLda4XLDKYW3Q3nAh+6KkF/J+lN0xhmct302C8urk+bDTT4oM5/xkx5d6KZmDz842qhdhjHaJGW3d4GxcsaIMUjFvkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bsrkTBUpWLT2j2sMX6+FxyGhrs1euDEd8u9zwUriS1Y=; b=STSmTooMM0PpSI4SMWlO30HPSRQBiNjARS3J2y+SPAq0ejJPOElBXfATqrfPCEAfEW8hl+VT2pXolwFeTZqlTQFdb3SqvOFICcEKjRl5MwfmQ3OtO/lRBiH9jInrlAo7qm/A0rWskd1Varrt06AIAaF6ZTO7+YHwZaygpEzLYUYyGRuFTmrDwMRje+BIZP6jz+0JY0myUI3rFdEwONQiO66TMF3TZJk9l7MnwWO0u/W5AnpvqdkiwuAvGzPvmkvGOC87dYkTLp/rH2ou9I2DkuyZVDz3OrtJvIXysoSVeTNx5FhXnY12rfWGkijhY4YuRdho/yNXDwxnzJZiv2h+mQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bsrkTBUpWLT2j2sMX6+FxyGhrs1euDEd8u9zwUriS1Y=; b=A7jLpKwU41pf4I75YV7zjKnA/nWSuO0mTmjEzLxAH2199ne7JOspV0LTetLdoQYmya/D9f1aEjUemIkMOjEr4FeNcT75PE8JELtEFxKvKRCXHewoABjnzdQOyCvi4rNnMY4Dh8VG3qBAJsHHDgKjTvliuB1jp8WACeEm60ExJXw=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1336.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.27; Thu, 19 May 2022 00:53:00 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::713b:2cff:b2c4:17b2]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::713b:2cff:b2c4:17b2%3]) with mapi id 15.20.5250.018; Thu, 19 May 2022 00:53:00 +0000
From: Roman Danyliw <rdd@cert.org>
To: Roman Danyliw <rdd@cert.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Revised ID Needed: draft-ietf-sacm-coswid-21
Thread-Index: AdhhS5Y4/3W06pJaSjCO4dXQo6Z1OwJzpq1A
Date: Thu, 19 May 2022 00:53:00 +0000
Message-ID: <BN2P110MB11070317A37B1E192A3D0409DCD09@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107B6F79F45E9E7EFE86A82DCC59@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107B6F79F45E9E7EFE86A82DCC59@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 294857f2-5186-417d-1769-08da3931ec0f
x-ms-traffictypediagnostic: BN2P110MB1336:EE_
x-microsoft-antispam-prvs: <BN2P110MB13368859FF360005AD33DA12DCD09@BN2P110MB1336.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rMjO3533aJGU4ZrHKVNyn3nfdqXGKUTblhtTICJ0gz7EFESIAOQ7jOwz5s5sCHzixICWL5G53xHPyh8FhEEXIEBclnGNno6NhYDFcufiJ9KEvlFJSjilSAzp97s++lMerhEpP9YVaQRdDmwKagSU27FYpOw4vVN33qTr/v0K8uO1xhDhvsAYlHDy9ber+tSWXX0jZl6x4J/6uvE9VKdVgRCyH3rVW9CG6r1WR7QpzH2oDxZuNOtpajo1wwKbQaFC7chWu9+8NI/36StQcmMkWsjFkUUXHjb/pPxF+Or4p3D5JkN8k9rUsuOS8poGksVGwzBDHhpb1lGHfvsYm6EDscz7zi1+t338rIN3cEG0Y4Dv5Xez1KWcmOkwOT90HPuQJKI9dHCXf0KdOz8CAL1At8hLm9dN29syyXoCTJf98DwVt6PvjXrH9oteq4XP4mXBtIPYhOUjPOAL4ZmlzaSHQiuwb0vOFOLEi+pFqStZL6F8aGSgUQyPppnMQrcsy7XKegUzwj0UtmpPt7gubg8CocXmDT7nURzthTY1CMmEjJGEMd3LGITwsKZgqc+GtLuqTgc9JF7jiz5A18vl3JyQ4gNIAshX8QEehpPp+5XLqke+azWE+VlvfEBl9yLTFTNcnAV+dYPL10AN0ydodA568WlF+CsK7FaZhfBSNNUU3c8/DjG/8tyQF0hrHTa6yKQi3TMex0cmVBjcyxGniEPplQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(82960400001)(33656002)(8676002)(55016003)(8936002)(52536014)(64756008)(66446008)(966005)(66556008)(498600001)(76116006)(86362001)(2906002)(66476007)(66946007)(110136005)(38100700002)(26005)(122000001)(186003)(6506007)(38070700005)(9686003)(83380400001)(53546011)(71200400001)(5660300002)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: hKhpjGA6WHRRfGFJGj1uhBy49ELpa+XKUNzoXf0FQNfVPVvu6bWuLp1PySwN+BmckfumXmR3lvcaKp/PcNm1nQnSKwkrZFKPKT3r1jKvUAkf8Qx7E8UyIN70/Co3bSBGkVv1sE8Za4q1H+JlzLP2uvTwIUtczT2vOwyd8K8bU6CaZVDmsCYaDavJRyVyligLPzHrIHLCAM6nsJ8OAzu5sV/evW4wfNlrxEXbddEbdb6XtlnKZydfLWrOrkUZ1n2+LAKtk8nt7agsuc2UsfkfZ7eg6CF4SAaIqH5FQIpn7MESi2YIGC6TxTr2W9PIIzLnRjFXQhF7knIFcJs6GqBDAmWCX/D97KT9fzeEr5gun/kDs7HMgOftEbHs6UavN3H8s+xtTQKG861hR1PtBMW7/crH3nzn46I/PPm//C7B35k=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 294857f2-5186-417d-1769-08da3931ec0f
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 May 2022 00:53:00.2626 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1336
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/Qx263Vaf1naGNXpMGfuNTBEKDk4>
Subject: Re: [sacm] Revised ID Needed: draft-ietf-sacm-coswid-21
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2022 00:53:40 -0000
Hi! I was asked to provide a suggestion on how to resolve at least part of Rob's ballot. My proposal for part of this resolution would be remove a binding between this document and future versions of the SWID, and be clear on the compatibility. Per Section 1. OLD While an attempt to align SWID and CoSWID tags has been made here, future revisions of ISO/IEC 19770-2:2015 or this specification might cause this implicit information model to diverge, since these specifications are maintained by different standards groups. NEW Every attempt was made to align the formats SWID and CoSWID tags. The design of CoSWID allows for a CBOR equivalent representation of any information that can be found in a valid SWID tag per [SWID]. However, CoSWID defines an extension mechanism to its information model via the IANA registries defined in Section 6. This mechanism allows for additional data elements not defined in this document to be added to CoSWID. These additional data elements would have no equivalent representation in [SWID]. The IANA registries were designed to allow for the possibility of reuse by other data formats. Regards, Roman > -----Original Message----- > From: sacm <sacm-bounces@ietf.org> On Behalf Of Roman Danyliw > Sent: Friday, May 6, 2022 9:26 AM > To: sacm@ietf.org > Subject: [sacm] Revised ID Needed: draft-ietf-sacm-coswid-21 > > Hi! > > Thanks for publishing -21 in response to IESG review. I was asked to clarify why > draft-ietf-sacm-coswid-21 is in "Revised ID Needed" state -- a number of > COMMENTs from the IESG review still need attention. Specifically: > > [Source: https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/ballot/] > > ==[ snip: Francesca's position ]== > Francesca Palombini No Objection > > 1. ----- > > * If the patch item is set to "true", the tag SHOULD contain at > least one link item (see Section 2.7) with both the rel item value > of "patches" and an href item specifying an association with the > software that was patched. > > * If the supplemental item is set to "true", the tag SHOULD contain > at least one link item with both the rel item value of > "supplemental" and an href item specifying an association with the > software that is supplemented. > > FP: This is missing text about why these are SHOULD and not MUST or MAY. I > agree with John Klensin, who formulated it very clearly: > > If SHOULD is used, then it must be accompanied by at least one of: > (1) A general description of the character of the exceptions and/or in what > areas exceptions are likely to arise. Examples are fine but, except in plausible > and rare cases, not enumerated lists. > (2) A statement about what should be done, or what the considerations are, if > the "SHOULD" requirement is not met. > (3) A statement about why it is not a MUST. > > [Roman on -21] Thanks for the new language. It doesn't appear to provide > much clarification. The preamble to the bulleted list says "If any of these > constraints is not met, a signed tag cannot be used anymore as a signed > statement." > > ** I don't follow what "cannot be used anymore" means. Is that saying that a > tag is signed with a valid signature, but the contents don't make sense so it > should just be ignored? > > ** I'm not sure how to assess conformance when the four subsequent bullets > include a MUST (bullet 1), SHOULD (bullet 2), SHOULD (bullet 3) and MUST > (bullet 4). If one treats conformance with the mindset of boolean algebra - the > bullet 2 and 3 are irrelevant because the weaker SHOULD could go either way. > > > 2. ----- > > *r artifact (index: 37): To be used with rel="installation-media", > > FP: Should "installation-media" be "installationmedia" instead? > > [Roman on -21] Please fix > > 3. ----- > > * date (index 35): The date and time the information was collected > pertaining to the evidence item. > > FP: Please add a reference to Section 3.4.1 [RFC8949] and mention that > this is the standard date/time string. > > [Roman on -21] This seems like a helpful clarifying refence for the reader. > > 4. ----- > > space, the "decimal" version scheme SHOULD be used. > > FP: Here (and following bullets) is another case that either requires a better > context description about the use of SHOULD, or should be rephrased (possibly > avoiding the BCP 14 SHOULD) for example: > > space, it is expected that the "decimal" version be used. > > [Roman on -21] Thanks for the next text of "the "decimal" version scheme > SHOULD be assumed." I don't see how it doesn't simply state ("be used" ==> > "be assumed") responds to the ambiguity issued suggested by this COMMENT. > Are the "SHOULDs" in these three bulleted clauses needed? > > ==[ end ]== > > ==[ snip: Rob's position ]== > > Robert Wilton (was Discuss) No Objection > > Comment (2022-03-21) > Hi, > > I've discussed this with Roman and Henk and I've agreed to remove my discuss > so that the document can be approved and move forward before the new IESG > handover. > > The proposal for the two issues below are: > > (1) I think that it would be helpful to have a liaison statement between the > SACM WG and ISO that confirms the ongoing expectation and evolution of > SWID and CoSWID, i.e., my understanding is that ISO intends to reuse the IANA > registry and I think that it would be good to get that more formally confirmed > now whilst everyone agrees, so that this doesn't end up being a problem in > future when participants have changed and moved on to new projects. This > doesn't need to block the progression of this document, it could be done in > parallel. I also don't think that this had to be written into the document, but > possibly a comment in the document may be helpful to set the context for > future readers. > > [Roman on -21] Rob cleared his DISCUSS on faith to ensure this document > didn't lose positions in the AD turnover at IETF 113. I have seen no explanation > to back to Rob. > > I share Rob's concerns. The coevolution of this specification with SWID has > been a moving target. When I first inquired about this during AD review in > October 2020 (https://mailarchive.ietf.org/arch/msg/sacm/lZsk8wlOprU- > WKPxgQAYLfBzDdE/), I heard that CoSWID would independently evolve via it's > self-defined IANA registries. That was consistent with the current text which > effectively positioned this document as a fork. During IETF LC OPSDIR > directorate review (https://datatracker.ietf.org/doc/review-ietf-sacm-coswid- > 18-opsdir-lc-bradner-2021-08-07/) the story changed to SWID now planning to > use the IETF registries which suggests that they would co-evolve. This intended > co-evolution was the motivation for keeping certain IANA registry names > "swid" as opposed to "coswid". However, the document still has the following > text in Section 1 (which seems to contradict the co-evolution idea): > > While an attempt to align SWID > and CoSWID tags has been made here, future revisions of ISO/IEC > 19770-2:2015 or this specification might cause this implicit > information model to diverge, since these specifications are > maintained by different standards groups. > > Can the current swid-coswid coevolution plan be explained? Can the basis of > this plan also be clarified - one approach could be a liaison statement. > ] > > In addition to this discussion, I believe this document needs to clearly set > expectation for implementers with the information we have now - is this > CoSWID document (a) an alternative data model for 19970-2:2015/SWID in > CBOR with full feature parity (i.e., if I can do it in 19970-2:2015, I can do it > CoSWID; and vice versa); or (b) a forked data model of 19970-2:2015/SWID in > CBOR that has additional capability (i.e., don't assume that just because > something can be represented in the CoSWID data model, that it can be > converted/represented in 19970-2:2015 SWID). Please refine this limited set of > expectations as appropriate. > > (2) Regarding the Semver 2.0.0 reference, the suggestion from Roman, which I > agree with is that it would be better if the SEMVER reference cited the ITU > SWID spec as the normative reference and the current accurate github > reference becomes informative. > > [Roman on -21] [SEMVER] is still a normative reference. > > > ==[ snip: from Ben ]== > > >From -20 to -21 a number of internal references changed from Section > >2.5 > to "Section 2.4, paragraph 2", which mostly don't seem to make sense to me. > Please double-check. > > Section 2.3 > > * version-scheme (index 14): An integer or textual value > representing the versioning scheme used for the software-version > item, as an integer label with text escape (Section 2, for the > > needs a close paren somewhere > > [Roman on -21] Please fix > > Section 9 > > Converse, generators of CoSWID tags need to ensure that only public > > "Conversely" > > [Roman on -21] Please fix. > > ==[ end ]== > > Regards, > Roman > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm
- [sacm] Revised ID Needed: draft-ietf-sacm-coswid-… Roman Danyliw
- Re: [sacm] Revised ID Needed: draft-ietf-sacm-cos… Henk Birkholz
- Re: [sacm] Revised ID Needed: draft-ietf-sacm-cos… Roman Danyliw